SEP: Add `media-src` to CSP

[aharvard]

Can we add media-src so apps can play video and audio?

4. Content Security Policy Enforcement
Hosts MUST enforce Content Security Policies based on resource metadata.

CSP Construction from Metadata:

const csp = resource._meta?.ui?.csp;

const cspValue = `
  default-src 'none';
  script-src 'self' 'unsafe-inline';
  style-src 'self' 'unsafe-inline';
  connect-src 'self' ${csp?.connectDomains?.join(' ') || ''};
  img-src 'self' data: ${csp?.resourceDomains?.join(' ') || ''};
  font-src 'self' ${csp?.resourceDomains?.join(' ') || ''};
  frame-src 'none';
  object-src 'none';
  base-uri 'self';
`;

I discovered this issue today while using MCP Jam Inspector to build an MCP App version of my bubble wrap app. MCP Jam may be following the draft spec verbatim, and the spec does not call out media-src. MCPJam/inspector#1028

[idosal]

Thanks @aharvard, great catch!